How secure is the Internet of Things?

The Internet of Things is on the cusp of making our lives easier as consumers and business professionals, but are these devices also making us more likely to be targeted by hackers?

Information security is a huge topic of conversation right now, and it’s about to get even bigger. Edward Snowden’s leaks on government surveillance and huge data breaches at Target, JPMorgan, TalkTalk and others made the subject front-page news, and that is likely to continue given the proliferation of the Internet of Things (IoT).

IoT devices, forecast to grow to 50 billion units by 2020, offer consumers and businesses huge amounts of convenience and benefit, but they are also a goldmine for hackers. This is because each such device represents another piece of hardware or software that can be compromised – and ultimately lead to stolen data or money.

The early signs of IoT security are not encouraging; researchers have already managed to hack everything from Google’s Nest to an internet-connected doll and Canon printer, while significant and exploitable software vulnerabilities have also been found in Wi-Fi light bulbs, smartwatches and Internet-connected baby monitors. There have been questions too on how this affects businesses, if the likes of Nest and Hive are connecting to enterprise Wi-Fi networks.

Security experts have been quick to voice their fears over IoT, with many pointing the finger at device manufacturers.

A recent study of 7,000 IT professionals by cyber-security association ISACA found that 75 percent thought IoT device manufacturers were not implementing sufficient security measures in devices, while a further 73 percent said existing security standards were inadequate.

Speaking to Internet of Business shortly after these results were published, BH Consulting managing director Brian Honan joined the chorus of discontent.

“IoT makes our lives easier and better in many regards, but unfortunately you also have to take into account that, in the rush to get these devices to market, [manufacturers] forget about security.

“We’re seeing IoT devices, from kettles and light bulbs to a range of different products, that are insecure out-of-the-box; they have weak security, default passwords…and can allow people with malicious intent to control those devices for their own needs.

“We also have an issue on privacy as a lot of these devices can take a lot of information, which is being used by companies to improve services. But if that information falls into the wrong hands, that will impact on privacy.”

Attacks aplenty

Ken Munro is CEO and founder of penetration testing outfit PenTest Partners, which has found numerous IoT device vulnerabilities over the last year, and he agrees with Honan that security must be baked-in to products from the start, especially given the fast acceleration of IoT devices.

“The reason I love IoT as a security researcher is that there’s enormous attack surface,” Munro told IoB, adding that attackers can leverage everything from device and mobile application flaws to API and server infrastructure vulnerabilities in order to attack IoT users.

He said that rolling such devices out across staff and customers is simply accentuating that risk.

“Everyone has got access to everything with IoT, and this means that you need firmware, OS, mobile app and coding experts…You need to know how to put apps together with wireless or GSM technology. There’s a massive expansion of the skillset required in order to adopt IoT.”

“We’re seeing crazy acceleration of IoT devices available, primarily because there’s money to be made, but I think we’re going to see standards starting to become available”. Munro is working on standards at the IoT Security Foundation, and says GSMA are working on something similar for mobile communications.

Munro adds that vendors are too often focused on getting goods to market rather than on whether the device is secure. Some, he says, simply hope to patch OTA (over the air) or ‘hope the problems go away’.

Munro, who praised Fitbit for bolstering its own security team at the start of the year, says that IoT flaws, which usually reside in app source code or revolve around weak passwords and unsecured Wi-Fi, can enable attackers to take control of devices locally or remotely. The latter could ultimately lead to larger-scale attacks, such as turning off heating or surveilling a property to see when it is not occupied.

Other experts, meanwhile, have cited patch management as a major issue given the billions of IoT devices forecast to ship, and say that more elaborate IoT attacks could lead to driverless cars becoming mobile bombs, or connected devices sending malware via botnets or through spam emails.

But benefits outweigh the negatives

Shipping company Maersk reportedly has one of the largest deployments of industrial IoT, using IoT to ensure refrigerated containers all maintain the correct temperature.

Speaking at a recent conference, UK CIO Andy Jones outlined the benefits of the deployment, saying that the firm is now able to monitor goods in real-time via IP-enabled sensors, whereas it previously took engineers two days to check and report on these conditions.

The readings from these sensors are continually fed into Maersk’s monitoring systems via satellite, and any problems at sea can be identified immediately.

Jones says the problem arises where IoT systems are connected to something physical, like braking or airbag systems of vehicles or the heating and cooling systems of buildings. The security challenges are many, not only because of the difficulty in keeping devices and software patched, but also because the internet protocol (IP) used by IoT devices is inherently insecure.

“Combine this with the fact the internet does not have any form of service level agreement, that there are millions of devices in the hands of unsophisticated users, and that the internet is accessible worldwide, and you have the perfect storm,” he said.

Alan Woodward, computing professor at the University of Surrey, added in an interview with IoB: “My big concern from a security perspective…is that IoT is set up using embedded computing, which is notorious for cheap, open-source, off the shelf bits of software and hardware.”

He has concerns over cheap devices and weak patch management, saying on the latter that updating the firmware on embedded IoT systems is ‘extremely difficult’ and ‘problematic’.

“I think IoT has far more potential than mainstream computing ever had for being compromised. The Internet of Things is a classic area where people are having to relearn all the lessons it has taken 25 years to learn in computing.”

What businesses can do

Munro urges CIOs and other IoT decision makers to be proactive in auditing and managing devices, even if it means ‘walking the floors’ to find out what devices are connecting to enterprise networks.

The CIO, he says, must think “really seriously” about what data could be compromised if a system is breached, what hackers would have access to, and whether devices are segregated [on the network], and should carry out a risk assessment.

Jones is optimistic about the future, but advises isolating IoT devices based on risk. “Any risk assessment should include the criminal mindset and learn from past analogies,” he said. Woodward urges companies to roll out IoT usage policies, so users clearly know their data can be wiped and devices managed.